
My goal is to fakeauth with my alfa card to my AP by using a PRGA .xor generated via a fragmentation attack. Yes I know there are other ways I can inject (e.g. spoof my other client's MAC as my own after deauthing the other client, etc and fakeauth as that source mac). I don't want to do that because in a real life scenario (i.e. a pentest) it could be noticed and a good attacker probably would try to avoid it. Anyway - that aside, I must be missing something stupid here:

First I monitor my AP via airodump-ng with:

Code:

airodump-ng -c 6 --bssid $ap -w wepviaclient wlan0

And see the output w/ no problem, my PC connected to it, etc. (I'm posting this from a different computer so I can't copy and paste the output right now and I don't think it's necessary for this cause I know it's correct).

The one thing I don't quite understand are the -l and -k switches when generating the .xor (I assume this is just so the AP will pass the packet through but some clarification there might be the key). Any ideas what I'm doing wrong? I feel like it's something very simple that I'm missing. In the meantime, turning off SKA or generating ARPs as an auth'd client works fine to increase IVs and I have already cracked the key several times. I don't know if this is really relevant to the course or not but I really want to know why this doesn't work.

Re: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

No MAC filter - it's my AP and I know it's off. If I auth against it w/ open authentication it works fine. It's only when using SKA that I can't associate. I don't really see how the PRGA xor can be used to generate the key - or is it just being used to make it look like I already have the key and sent the association encrypted w/ a valid PRGA?
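What the PRGA .xor is doing in the shared-key handshake, as an added toy simulation that is not code from this thread or from the aircrack-ng project (the key, IV and challenge bytes are constructed): the SKA challenge is sent in clear, so one observed exchange gives the keystream for that IV, and with enough keystream (128-byte challenge plus 4-byte ICV, so 132 bytes) a fresh challenge can be answered with no knowledge of the key. That is why shared-key authentication gives an AP no real access control beyond open WEP, and why a keystream file shorter than 132 bytes is rejected here.

```python
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_body(plaintext: bytes) -> bytes:
    """What WEP actually encrypts: plaintext followed by its CRC-32 ICV."""
    return plaintext + zlib.crc32(plaintext).to_bytes(4, "little")

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Legitimate station/AP side: body XOR RC4(IV || key)."""
    body = wep_body(plaintext)
    return bytes(p ^ k for p, k in zip(body, rc4_keystream(iv + wep_key, len(body))))

def recover_prga(challenge: bytes, response: bytes) -> bytes:
    """The SKA challenge goes out in clear, so one observed exchange
    yields the keystream for that IV (the PRGA .xor) without the key."""
    return bytes(p ^ c for p, c in zip(wep_body(challenge), response))

def forge_response(prga: bytes, challenge: bytes) -> bytes:
    """Answer a fresh challenge with captured keystream only; a 128-byte
    challenge plus 4-byte ICV needs 132 keystream bytes, so short files fail."""
    body = wep_body(challenge)
    if len(prga) < len(body):
        raise ValueError(f"need {len(body)} keystream bytes, have {len(prga)}")
    return bytes(p ^ k for p, k in zip(body, prga))

def ap_accepts(wep_key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    """AP check: the response must equal the challenge encrypted under the real key."""
    return wep_encrypt(wep_key, iv, challenge) == response

def demo() -> bool:
    # Constructed values, not from any real network: 40-bit key, one IV, two challenges.
    key, iv = bytes.fromhex("0102030405"), b"\x11\x22\x33"
    ch1 = bytes(range(128))                                   # challenge to a real client
    prga = recover_prga(ch1, wep_encrypt(key, iv, ch1))       # observed reply -> keystream
    ch2 = bytes((7 * i + 3) & 0xFF for i in range(128))       # new challenge to the forger
    return ap_accepts(key, iv, ch2, forge_response(prga, ch2))  # True: accepted without key
```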

Thanks for helping out Quartercask, I've been having the same problem as ThePistonDoctor and tried your solution. I just get a 108 byte file from packetforge which can't be used for the fakeauth.

I can happily crack the AP (my home router) if I use open WEP or WPA2 (with the password in the wordlist of course), but as soon as I change to shared key WEP I get the same problem of "Authentication 1/2 successful...Challenge failure" repeated over and over again.

I've tried changing my mac to that of the authorised client and I still get the same problem (with and without the client being active).

I can't find a solution anywhere on the web (though the aircrack-ng forums are down atm) despite searching for a number of hours.

Anyone find a solution for a total noob like me?

Cheers,
Demented

P.S. AP is a TP-Link TL-WR1043N. Client is an old Dell Inspiron and penetration box is an Asus M51vm running BT5r2 with an Intel WiFi Link 5100 (apt upgrade and dist-upgrade run this morning 3-June-12).

Re: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

Just create an entry in your MAC inclusion list on your router settings to include the faked MAC you want to use for the attack. If you use an Alfa card and then change its MAC, it can no longer associate with ifconfig settings. If you do include the fake MAC in the inclusion list, you can continue to function on the same interface without the issue of inconsistency.
I have generated a series of inclusions into my AP so I can have a choice depending on the situation, and this will still allow you to connect to your AP after you use macchanger.

Reference: Re: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

Originally Posted by darcstar

Just create an entry in your MAC inclusion list on your router settings to include the faked MAC you want to use for the attack. If you use an Alfa card and then change its MAC, it can no longer associate with ifconfig settings. If you do include the fake MAC in the inclusion list, you can continue to function on the same interface without the issue of inconsistency.
I have generated a series of inclusions into my AP so I can have a choice depending on the situation, and this will still allow you to connect to your AP after you use macchanger.

A key that is completely random (maximum entropy) without any pattern, using any random alpha-numeric characters (a-z, A-Z, 0-9)...62 possible characters.
WPA-PSK TKIP (RC4)
I am curious how many centuries it would take!